Ram Charan: The Business of Security

Lynn Mattice, CSO of Boston Scientific, quizzes the man Fortune magazine calls "the most influential business consultant alive" about how security executives can better serve the business

What happens when you bring together one of the business world's luminaries—Ram Charan, whom Fortune magazine calls "the most influential business consultant alive"—and one of the country's top CSOs, Lynn Mattice of Boston Scientific?

Still a fair amount of disconnect. It turns out that even the most business-savvy of CSOs (Mattice won a 2007 CSO Compass award for his work on business alignment) still looks at things on a profoundly different level than a globe-trotting consultant who spends most of his time with CEOs and boards of directors. That much became clear during a ground-breaking teleconference between the two men, moderated by CSO magazine's Sarah D. Scalet.

Mattice, for instance, seemed to take it as a given that information-technology leaders have made their way into the executive suite, serving as something of a role model for security leaders. Charan, on the other hand, cited IT as an example of a function that needs to do a better job of rotating its people into other business areas, to gain more business savvy. Likewise, some broad, big-picture initiatives for strategic CSOs—such as the work of the Council on Competitiveness on business resiliency—are not even on Charan's radar.

Nevertheless, the two men found plenty to chew on, as the conversation made its way from how boards of directors view security (peripherally), to how CSOs can evolve (by leaving security behind), to how to implement change (without just latching onto the business fad of the day). Below are excerpts from the call.

Mattice: One of the failures identified in your book Execution resulted from the inability of individuals within an organization to envision where they needed to go. One of the things that security departments have been trying to do is evolve away from the "corporate cop" image. What are the expectations, as you see them, from the executive suite on the corporate security function today?

Charan: The most important part is the expectation about the reputation of the company. How does lack of security help or hurt the reputation of the company? Reputational risk is very important to companies today, so the security people, in addition to compliance, need to consider the appropriate focus on reputation. That should be a part of the annual report to the board on risk: how they are linking with the reputational risk assessment and what they are doing. Very clear, very simple, very direct. That's the key.

Mattice: We've seen other organizations throughout the years evolve and gain a more critical position within corporations, elevating up the levels of corporation to join the executive suite. We have seen this happen with IT, with audit, and in the old days with finance. What are your recommendations on how security leaders should change their focus to be able to move up the ranks?

Charan: Security people have to really master how the business makes money. Move the security people in their early careers across the functions, then bring them back. If you rotate them into other functions and they succeed, you make a broader person, and that person has a real opportunity to move up the ladder.

CSO: If they succeed in another function, doesn't the security department run the risk of losing that person?

Charan: That's a good idea. Lose them. You would create better people. It's a very narrow thinking of one department "losing" a person. How many CFOs have become CEOs? Let's really kill that narrow thinking.

Mattice: Eliminate the stovepipes.

Charan: The stovepipes, that's what hurts. That's why people don't move out of IT and HR—because they don't rotate their people and think of the company as a whole. Your CEO, Jim Tobin—look at his background. He's a CEO today. What was his background? He came from Baxter [International].

Mattice: He started off in finance over there.

Charan: You got it. He wouldn't get the job unless he was broader. He wouldn't be making the moves he has made so successfully. The idea here is that to be able to bring your chair to the table, you've got to learn the business. You've got to be interested in the business, as you, Lynn, have been interested, and you've got to have the rotation early in your career. Companies that do not do this do not do as well. It's very common at successful companies like General Electric, like Target, like Wal-Mart—these people all do the rotation. The CEO of Wal-Mart used to be a logistics person. He drove trucks.

Mattice: Understanding all of the elements of the business so that you can address their concerns and issues as they evolve.

Charan: Yes, but it's more than that. They've got to work in more than one function, not only understanding but absorbing it. Living with it.

Mattice: I worked for one company where one of the requirements was that at least once a year, everybody from the corporate offices had to go out and spend at least a day on the factory lines so that we didn't forget how we made the money.

Charan: I think that's helpful. I'm thinking something deeper. That is, you're going to go work for a couple years in other functions.

CSO: It's interesting to me that Lynn mentions IT as an example of a function that has moved up the ranks to join the executive suite, but Ram, from your perspective, it sounds like you don't see that people are moving out of IT into other functions, either. Are we understanding correctly?

Charan: What I'm saying is to move people early in their careers, from one function to the other. Every function needs to do this more. It's most commonly done in the finance function.

Mattice: We've created an organization called the CSO or Security Executive Council, founded by CSO magazine, to do research for the security profession. What we're seeing more and more today is that people being put into security positions are coming out of nontraditional roles. They're coming out of the business and being assigned to run this business unit that's called security.

CSO: What does that say about the maturity of the security function, if other executives are rotating into security, but security executives aren't rotating out of it yet?

Charan: I'm talking about moving people early in their careers, not at a higher level. If companies are bringing people from outside the security function at higher levels, that might mean the internal people of security were not considered as good. But I don't want to go there, because I don't know the details. There are so many factors.

Mattice: An additional piece of the council's research involves understanding business intelligence and risk and developing a network of information flow so that you can analyze the risk that the company is facing. We see this area as one of the key elements that the security organization can bring to the table with the board and executive committee.

Charan: My sense is that some boards have a risk committee, and usually a general counsel of the company pulls all the risks together in collaboration with the CFO. That is how security fits in.

Mattice: That's where you think we would then flow the information to?

Charan: Exactly. First you've got to see what is the risk committee, if there is any. If there is none, then you look at the audit committee. And with that you have the CFO for sure, and maybe general counsel, and then link to that. The board doesn't want to see all kinds of risks. The board wants to see a unified piece of information and framework.

Mattice: How do you see boards and executive management assessing risk?

Charan: I think the boards are just getting going on it. They are using the risk committee, with inside and outside help, to create a framework for evaluating risk. In one case, I know where a lead director actually has gone and visited the site, particularly in the environmental safety and health arena. But other than brand and reputational risks, and the financial risk evaluation, there's not much high intensity to the overall risk yet.

Mattice: When I read your book What the CEO Wants You to Know, it was very clear that there are a broad range of elements leaders need to have. From your view, what are the most critical elements that need to be in place for the next generation of security leaders?

Charan: As I mentioned, first there's the business side of it. Second, security leaders have to be very externally oriented, because a number of risks come on a surprise basis. Some are anticipated, but a good deal are not. Third, they need to take a more active role in working with line people to get them to anticipate risks in the factoring of their strategy and their execution.

Mattice: I'm sure you're familiar with an effort that the Council on Competitiveness is working on about resiliency. What role would you see a security executive play in dealing with the issue of business resiliency?

Charan: I do not know that particular effort. What's the effort?

Mattice: The essence of it is ensuring that companies understand their environments, the risks to their environments and the issues that can disrupt their business.

Charan: Yes. They have to understand the business; they have to look on the outside constantly; they're going to work with the line people to get them to see that their business actions, both strategically and operationally, take into account the possible risks.

Mattice: One of the things that they're saying is that security can be a profit enhancer for corporations.

Charan: No question about that. For example, if you have a construction company that is building some important item for some other company, and the security is very important and the risk is reduced and you build a building a month ahead of time, it's a huge profit enhancer.

Mattice: There are a number of programs that security organizations participate heavily in that can have a very positive impact, like the Customs Trade Partnership Against Terrorism (C-TPAT), where if you have the right programs in place, your containers and shipments bypass all the customs controls....

Charan: You go work with the logistics people, anticipate, look at the external environment and say what has to be done strategically. Plus it will allow you to decide what kind of insurance you're going to have.

Mattice: It can reduce your velocity in the business. If you can speed up your delivery [of] the raw goods or finished OEM goods, you can speed things to market and have to have less in the pipeline, which frees up a lot of capital.

Charan: Yes. So once again we go to the same principle. Know the business.

Mattice: You think it's going to be much more complex than this.

Charan: It's not. It's really not.

Mattice: One of the things that I've seen over the years is that as new approaches come forward—whether it's lean manufacturing or TQM or Six Sigma—people throughout companies normally tend to throw somewhat of a jaundiced eye on these things because they look like the management's program of the month. What is your view on the best way to implement change within an organization and put new programs in place?

Charan: The first thing you ought to do is recognize that these are tools. If they are not used as tools, they become a fad. First you need to define what need or problem you're solving for the business, and for that need or problem, you decide what tool you're going to use. You convince the people of the need or the problem or the opportunity, and then have them engage the tools that are best suited. Train the people on the tools. When they're committed, you will see the change.

Six Sigma is a fad, if you don't answer the previous question. So you have a [Jack] Welch [former CEO of GE] coming into Six Sigma—and Larry Bossidy [coauthor of Charan's book Execution and former CEO of Honeywell International] actually persuaded him to do that—but he saw Six Sigma as a huge tool to streamline processes, particularly with customers. That had a huge impact on eliminating waste, creating common systems and processes, thus requiring and resulting in better margins, better profits, and more importantly better service. He defined the need or problem or opportunity, then he searched for a tool, not the other way around.

Mattice: OK. It's not trying to pick up the tool and force it into the environment....

Charan: You will fail on that.

Mattice: How do you find the right tools?

Charan: You search today on the Internet. You say, this is my problem; what are the tools? There's so much written about these things coming from various parts of the press. Or just call a consulting firm; they will tell you that. Or Harvard Business Review. If you don't find them in those places, then you search. For example, in 1990, the CEO of American Standard, Emmanuel Kampouris, toured the world to find the tools of what became lean [manufacturing]. He had a debt problem, and he did not want to sell the pieces of the business. But he could generate cash by changing the production systems and creating high inventory turns. He went all over the world, and he found a guy in Colorado who knew what was "just in time" [manufacturing] and how to do that. It's no different from anything else. People search for new ideas, new tools.

If a human being can't find those in the Internet age, we have a different problem.

Copyright © 2007 IDG Communications, Inc.
